handle 'date' and 'main' lookups, expand 'env' #2
Conversation
The logic for these lookups is simple and lossy, but that's acceptable since we can at least report that these lookups will be made. For some users it is reasonable to simply reject a log line at the presence of `main` or `date`, regardless of later findings. For other users, it doesn't seem possible to have a general transformation between a `main` or `date` lookup, and a string useful to build other more concerning lookup tokens (like `jndi` or `env`).
awortman-fastly
changed the title
src/lib.rs
Outdated
| // | ||
| // Report the `main` handler for the possible information disclosure risk, then assume | ||
| // empty string expansion in case this was just obfuscatory. | ||
| ("".into(), Some(Handler::Main)) |
There was a problem hiding this comment.
Should this be default.into()? I'm not entirely sure of the semantics around main. What happens in the case of ${main:blahblah:-jndi}?
There was a problem hiding this comment.
this should be default.into(), i incorrectly thought main did not support default value syntax.
| // select substrings, so month/day strings aren't useful for building an unaccepatble | ||
| // handler. Assume that if `${date:...}` is showing up in an interesting place, it will be | ||
| // with some format string that expands to empty string. | ||
| ("".into(), Some(Handler::Date)) |
There was a problem hiding this comment.
Same question here as for main: should this be default.into()?
There was a problem hiding this comment.
date doesn't seem to support the default value syntax, so a bad substitution ends up being the empty string. i've been consulting https://logging.apache.org/log4j/2.x/manual/lookups.html#AppMainArgsLookup and looking for default around where the lookup is defined to see if's permitted or not (haven't found where in the source default values are actually interpolated..)
The logic for these lookups is simple and lossy, but that's acceptable
since we can at least report that these lookups will be made. For some
users it is reasonable to simply reject a log line at the presence of
mainordate, regardless of later findings. For other users, itdoesn't seem possible to have a general transformation between a
mainor
datelookup, and a string useful to build other more concerninglookup tokens (like
jndiorenv).edit: also adjusted the
envexpansion to assume that env vars are for undefined variables (so, expand to""), but use a default value if one is provided -${env:UNDEFINED:-hello}should expand tohello.